← Back to Insights
Third-Party RiskJuly 15, 2026· 7 min read

Dental Practices Are Under Attack. The Breach Usually Starts Somewhere Else.

In 2026, dental patients are being exposed by the millions. The pattern behind the biggest incidents is not a hacked front desk. It is a hacked vendor, DSO, or benefits administrator. Here is what dental practices should do about it.

By Paul Alcock

Key Takeaways

  • The DentaQuest breach exposed 2.6 million people in May 2026, and it was a vendor breach, not a practice being hacked directly.
  • The largest dental-sector incidents are hitting through DSOs, benefits administrators, and IT vendors: DentaQuest (2.6M), Absolute Dental via its IT provider (1.2M+), and Chord Specialty Dental Partners (173,430).
  • Individual practices are being ransomed at a steady clip. Leak-site tracking shows 14 US dental practices posted between May and July 2026, about one every six to seven days, and a single group, CRPxO, claimed four of them.
  • Dental records are high value because they bundle Social Security numbers, government IDs, insurance, and payment data, often on aging IT with little or no security staff.
  • Your largest exposure may be data you do not hold yourself. Vendor and business associate oversight is now the highest-leverage control a dental practice has.

In May 2026, attackers stole 234 gigabytes of data from DentaQuest and, when negotiations broke down, dumped it online. The leak exposed roughly 2.6 million people: names, dates of birth, government-issued IDs, and health insurance details (HIPAA Journal).

Here is the part dental practices need to sit with. Most of the 2.6 million were never DentaQuest's customers in the way they would think of it. They were patients of dental practices that used DentaQuest for benefits administration. Their data was exposed by a company many of them had never heard of, sitting one or two steps removed from the chair they sat in.

That is the real story of the 2026 dental breach wave. The headline is "dental practices under attack," and they are. But the biggest incidents are not somebody hacking a front-desk computer. They are somebody hacking a vendor, a dental service organization, or a benefits administrator that holds patient data for hundreds of practices at once.

The Pattern: It Is a Vendor Problem

Look at the three largest dental-sector incidents of the past year. None of them started inside a dental office.

DentaQuest, 2.6 million people. A benefits administrator, breached in May 2026 by the extortion group ShinyHunters, who exfiltrated the data and published it when they were not paid (HIPAA Journal).

Absolute Dental, more than 1.2 million people. A Nevada group with over 50 locations, breached between February and March 2025 not through its own systems but through its IT vendor. An attacker ran a malicious version of a legitimate software tool through an account belonging to the practice's managed services provider. Absolute Dental agreed to a $3.3 million class-action settlement, with a final approval hearing set for July 2026 (HIPAA Journal, settlement details).

Chord Specialty Dental Partners, 173,430 people. A dental service organization that provides operational support to more than 60 practices across six states. Attackers got into employee email accounts and had access for over a month before anyone noticed (HIPAA Journal).

The common thread is concentration. When one DSO, one benefits platform, or one shared IT provider holds data for dozens or hundreds of practices, a single breach becomes a very large breach. Attackers know this. Going after the aggregator is more efficient than going after each practice, and the payout is bigger.

If you belong to a DSO, use a benefits clearinghouse, or outsource your IT, a meaningful share of your breach risk lives in systems you do not control and cannot see.

Small Practices Are Not Being Skipped

None of this means an independent practice is safe because it is small. If anything, standalone offices are being worked through at a steady clip.

Jackal Group tracks ransomware leak-site postings using ransomware.live, a public database of extortion claims. Between May and July 2026, 14 US dental practices were posted to leak sites, roughly one every six to seven days. One group, which ransomware.live tracks as CRPxO, claimed four of them. That is not a random spread across the sector. It suggests at least one crew has decided dental practices are worth specializing in.

A leak-site posting is a claim, not a confirmed event. It means a group says it has stolen a practice's data and is threatening to publish it, which is not the same as the practice confirming an encryption or breach event. Some of these will turn out to be smaller than claimed. But the cadence over four months is hard to wave away, and it lines up with the cases that have been publicly confirmed.

Those confirmed cases usually start with the most ordinary door there is: email. Bayside Dental had 10,216 patients exposed after the Sinobi ransomware group claimed to have stolen 580 gigabytes of data. Aldrich Pediatric Dentistry lost data on 5,900 people after a single email account was compromised in a phishing attack. A separate phishing incident at a shared vendor swept up multiple practices at once, including Stafford Oral Surgery (7,019 patients) and Garrisonville Dental (5,204). The list continues with names most people have never heard of, from a few hundred patients to more than twenty thousand (HIPAA Journal).

The takeaway is not that small practices are targeted because they are valuable individually. It is that they are targeted because they are reachable. A phishing email works the same whether it lands in a solo practice or a fifty-location group.

Why Dental, Specifically

Dental practices sit at an uncomfortable intersection of high-value data and thin defenses.

The data is rich. A dental record often bundles a Social Security number, a driver's license or passport, insurance details, payment information, and clinical history in one place. On the criminal market, that combination is worth more than a stolen credit card number, because it enables identity theft and insurance fraud, not just a single fraudulent charge.

The defenses are frequently light. Many practices run on aging IT, have no dedicated security staff, and rely entirely on an outside IT provider whose own security they have never verified. Backups are inconsistent. Multi-factor authentication is partial or absent. Email, the single most common entry point, often has no meaningful protection beyond a spam filter.

Put those together and you get exactly what the data shows: a sector where attackers get in easily, find data worth stealing, and face little resistance on the way.

This Is Also Where the Rules Are Going

This pattern is not lost on regulators. The proposed overhaul of the HIPAA Security Rule leans heavily on vendor oversight and on controls like mandatory MFA and encryption that would have blunted several of the incidents above. That rule was recently pushed back to a projected July 2027, but the direction is clear, and the current Security Rule already requires you to manage the risk your business associates carry. For a fuller view of what is coming, see our breakdown of the proposed HIPAA Security Rule changes.

The regulatory expectation and the threat data are pointing at the same place. Your vendors are both your largest exposure and your least-examined one.

What a Dental Practice Should Actually Do

You cannot audit ShinyHunters. You can control who holds your data and how well it is defended. In rough order of leverage:

  • Inventory who touches your patient data. Your practice management vendor, your imaging system, your billing and clearinghouse, your DSO if you have one, and your IT provider. You cannot manage risk you have not listed.
  • Get real business associate agreements in place, and do not stop there. A signed BAA is a legal floor, not evidence that a vendor is secure. Ask each one how they protect your data, whether they use MFA, how they handle backups, and whether they have had a breach. If they cannot answer, that is your answer.
  • Turn on MFA everywhere, starting with email. Email is the entry point in a large share of these incidents. MFA on every account that can reach patient data is the single highest-return control most practices are missing.
  • Lock down remote access and separate your systems. Ransomware crews routinely get in through exposed remote desktop and VPN. Put those behind MFA, limit who can reach them, and keep imaging and clinical systems on a different network segment from front-office administration, so one compromised computer does not hand over the whole practice.
  • Confirm your backups work and can restore fast. Ransomware is only a catastrophe if you cannot recover. Test a restore. Do not assume.
  • Train the front office on phishing. The people opening email all day are the ones being targeted. A short, regular, practical training beats an annual slideshow nobody remembers.
  • Have a plan for the first day. Know who you call, how you notify patients, and what your obligations are before you need to. For the mechanics, see our guide to the first 24 hours after a ransomware attack.

The Bottom Line

Dental practices are being attacked more, and the numbers are getting larger, but the shape of the risk is the part worth internalizing. The million-record breaches are coming through vendors, DSOs, and benefits platforms. The smaller ones are coming through email. Both are addressable, and neither requires an enterprise security budget.

The practices that come through the next two years intact will not be the ones with the most technology. They will be the ones that knew who held their data, insisted those partners could defend it, and closed the ordinary gaps that attackers keep walking through.


Jackal Group helps small and mid-sized dental and healthcare practices assess vendor risk, verify their business associates, and close the security gaps that lead to breaches. See how we work or get in touch to talk through where your practice stands.

Share

Written By

Paul Alcock

Cybersecurity executive with 20+ years of experience across IT and information security, specializing in healthcare and regulated environments.

Want daily threat intelligence?

Our threat intelligence portal delivers daily executive briefs, vulnerability tracking, and healthcare-specific analysis from 50+ sources.

Join the Waitlist →